This is the third in a four-part series on Internet security, how to monitor and prevent threats to the computers and networks of a small business, and how to combat breaches when they occur.

"Canadians are very well-intentioned people," says Ben Sapiro, a security expert at TELUS. "The notion of someone leaving and intentionally or unintentionally doing you some harm after the fact isn't something we like to think about."

Yet it happens all the time.

Keeping your small business' data secure is hard enough when your staff is in place. But it gets especially tricky when someone leaves - and all the more so when someone leaves under a cloud.

Mr. Sapiro, along with colleagues at TELUS and the University of Toronto's Rotman School of Business, has surveyed hundreds of Canadian businesses to assess their security techniques. Among their findings: small businesses suffer most of their data breaches due to negligence on the part of an employee, and the smaller a company is, the more at risk it is when it comes to staff turnover.

Walid Hejazi, a professor of business economics at Rotman, points to three main causes in cases where data walks away with employees. First, employees erroneously think they own data they create - "It's my data; I built the database, so it's mine," as Prof. Hejazi puts it.

Second, they may wish, illegally, to sell it.

Third, they merely want to keep that information on file for when they find new employment - even though it might constitute a major breach of confidential information.

Once you've trusted an employee with access to your information, that trust is your first line of defence. But a combination of preparation, education, and thoroughness can help cover your assets at times of change.

Here are some suggestions for keeping your valuable data safe:

1. Prevention and education are key.

The first key to keeping data from walking away with your employees is to make sure that you're on the same page as your employees to begin with.

First and foremost comes the understanding that, for all the sweat employees put into creating intellectual property for the company, that data still belongs to the company, and can't follow them when they leave.

"The best place to start out is with an employment contract," says Mr. Sapiro. Such a contract would spell out the business owner's right to inspect any computer for proprietary data - even if the computer belongs to the employee.

"This sets the expectations with the employee, and gives the employer certain recourses," says Mr. Sapiro.

2. Make an orderly transition.

Assuming that the employee's departure is amicable, make sure you have the information you need from them before they go. Ask for their passwords, and immediately make sure that their e-mail forwards to someone else.

"This person has for some time been representing this company and you don't want those relationships to end," says Tom Keenan, a professor of environmental design at the University of Calgary.

Then, start fresh. Prof. Keenan suggests making a backup of the computer's hard drive, using backup software and DVDs, and then reformatting the computer from the disks that came with it. You never know what malware (or pirated software) the employee might have inadvertently acquired, or personal information they might have left behind. It's good practice to let the machine's next owner start from scratch.

3. Be vigilant about passwords.

Changing all the relevant passwords is an obvious first step, but being thorough can be difficult.

Sometimes employees will have access to shared or master logins. (For instance, does anyone in your office share a login like 'admin'? Time to change that, and give everyone their own.) Be sure to change passwords for remote-access applications, any online-database services you might be paying to subscribe to, and most especially any online stores you purchase from. (Unless you want 100 prank books ordered in your name from Amazon.)

Even if they don't plan to conduct industrial espionage, you never know who's squirreled away login information to a useful website or ten. That alone is a good reason to rotate all your passwords on a regular basis - and not to be too predictable about it.

"A guy showed me, after he left a major city government, that he could still get into their financial files," recalls Prof. Keenan. "I said, but you've been gone for a year. And he said, every month they change the password, and the first part of it is the first three letters of the month."

4. Watch out for USB keys.

USB keys spell security trouble even when employees are with a company - and it just gets worse after they leave.

For instance, many employees are in the habit of throwing their work onto a USB key at the end of the day, so they can continue their work at home. But these keys are easily lost, and - being in such abundant supply - they change hands with great frequency without being cleaned. An employee might take some spreadsheets containing credit card numbers home on a USB key, only to unthinkingly use the same key a week later to pass a PowerPoint presentation to a client.

Commercial encryption technology is one solution. Alternately, it's possible to disable USB keys on company computers - in which case, a company should make sure that there's a web-based file-sharing service at their employees' disposal.

But this is an area where education and vigilance might be most helpful. Have clear policies about taking work home on USB devices, and make it clear that when an employee leaves, they can't take a USB key's worth of company data home with them.

5. Keep your eyes on the cloud.

The arrival of so-called "cloud computing" services like Google Apps - which don't live on any single computer, but instead run as sites you log into with your browser - means it's not just your network you have to secure.

Online applications are great for collaboration: one user creates a document, and grants other users access to it. Especially if your organization is using Google Docs, make sure that these documents are created through a company account, or one of the principals' accounts - and not the personal account of an employee.

If it so happens that the documents are "owned" (in the computing sense, not the legal one) by an employee, and that employee leaves the organization under less-than-ideal circumstances, they can withdraw access to the formerly-shared documents. This can lead to a personal wrangle, if not a legal one.

Also, remember that employees will often grant access to shared company documents to third-parties - clients, contractors, and colleagues. This might be perfectly legitimate at the time, but when employees leave, the access rights they granted might live on, unnoticed.

Mr. Sapiro suggests that principals should sit down with staff periodically to review who has access to company accounts, and whether they still need it.

Special to The Globe and Mail

The series continues with a new post every Monday for the next week. Stories can be found on the Web Strategy section of the Your Business website.
